Federal contractors are not currently required to have Vulnerability Disclosure Policies (VDPs) for the information systems they use to fulfill their contracts.
“VDPs are a crucial tool used to proactively identify and address software vulnerabilities,” said U.S. Sen. Mark Warner, D-Va., the chair of the Senate Intelligence Committee, who introduced the Federal Contractor Cybersecurity Vulnerability Reduction Act of 2024, legislation aimed at strengthening federal cybersecurity by ensuring that federal contractors adhere to guidelines set forth by the National Institute of Standards and Technology.
VDPs give organizations a defined channel for receiving unsolicited reports of vulnerabilities in their software so that the flaws can be patched before they are exploited. Such reports of suspected security vulnerabilities in information systems are among the best ways for developers and service operators to become aware of issues.
Currently, civilian federal agencies are required to have VDPs, but there is no requirement for federal contractors – civilian or defense – to have VDPs in place.
The Federal Contractor Cybersecurity Vulnerability Reduction Act of 2024 would require federal contractors to implement VDPs and would formalize the process for accepting, assessing, and managing vulnerability disclosure reports, with the goal of reducing known security vulnerabilities in contractor systems.
“This legislation will ensure that federal contractors, along with federal agencies, are adhering to national guidelines that will better protect our critical infrastructure and sensitive data from potential attacks,” Warner said.